Upcoming Pidgin security disclosures

Mark Doliner mark at kingant.net
Sat Aug 20 14:12:49 EDT 2011

On Fri, Aug 19, 2011 at 5:38 AM, Tomas Hoger <thoger at redhat.com> wrote:
> On Thu, 18 Aug 2011 02:14:18 -0700 Mark Doliner wrote:
>> 2. Remote crash in MSN protocol plugin (yes, another one).  You
>> haven't heard about this one yet.  Caused by incorrect handling of
>> HTTP 100 Continue responses from MSN servers when using the HTTP
>> connection method.  The HTTP connection method is not a default
>> setting--it must have been enabled by the user for them to be
>> susceptible to this attack.  We believe it is not possible to execute
>> code.  It is possible for the server to trigger a crash.
> Is this a buffer over-read as the patch suggests?

I believe so, yes.

> Looks like the
> server needs to provide enough headers for the over-read size to be of
> its choosing.

Right.  Well, I think it's not the number of headers so much as the
combined length of all the remaining headers.

>> We do not know whether it is possible for a remote user to trigger a
>> crash, but it seems unlikely to us.  This bug isn't too bad, so my
>> preference is to NOT get a CVE# for it.  But if people think a CVE#
>> is a good idea then let's do it.
> I'd say this should really depend on whether crashes by malicious
> servers (or MITM attackers manipulating traffic to/from a server) are
> considered security for pidgin, or rather viewed as undesired nuisance
> which is still fairly unimportant compared to the actual use of
> malicious server / MITMed server connection.  I agree this sounds more
> like a bug.

I generally wouldn't consider crashes caused by MITM attackers or
malicious servers to be CVE-worthy.  Definitely something that should
be fixed.  But not something that is likely to lead to remote crashes
or exploits on a grand scale.


More information about the Packagers mailing list